Identifying Business Processes, Regulations, and Legal Requirements

Each part of the social media security policy must be managed through training, implementation, and monitoring. Because the policy itself contains high-level descriptions of expected behavior, which are sometimes translated into friendlier guidelines, the company must be able to track and measure the effectiveness of the policy, compliance with legal regulations, and compliance with the policy itself (which can serve as a key performance indicator); adapt the policy to changing conditions; and establish a chain of custody in problematic cases. For example, if your company accepts and keeps credit card information, it must comply with the regulatory requirements of the Payment Card Industry (PCI) 2.0 (https://www.pcisecuritystandards.org/). The PCI standards contain a component that applies to employee training if your social media activities affect customers’ personal information:

- 12.6: Implement a formal security awareness program to make all personnel aware of the importance of cardholder data security.
- 12.6.a: Verify the existence of a formal security awareness program for all personnel.
- 12.6.b: Obtain and examine security awareness program procedures and documentation and perform the following:
- 12.6.1: Educate personnel upon hire and at least annually. Note: Methods can vary depending on the role of the personnel and their level of access to the cardholder data.
- 12.6.1.a: Verify that the security awareness program provides multiple methods of communicating awareness and educating personnel (for example, posters, letters, memos, web-based training, meetings, and promotions).
- 12.6.1.b: Verify that personnel attend awareness training upon hire and at least annually.
- 12.6.2: Require personnel to acknowledge at least annually that they have read and understood the security policy and procedures.
- 12.6.3: Verify that the security awareness program requires personnel to acknowledge, in writing or electronically, at least annually that they have read and understand the information security policy.

Another example of a regulation with training components is Massachusetts 201 CMR 17.00, Standards for the Protection of Personal Information of Residents of the Commonwealth:

- 17.03: Duty to Protect and Standards for Protecting Personal Information
- (b) Identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks, including but not limited to:
  - ongoing employee (including temporary and contract employee) training;
  - employee compliance with policies and procedures;
- 17.04: Computer System Security Requirements
- (8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Sharing customer data or discussing customer information in social media posts is very easy. Rules such as these are an attempt to keep that data from being shared inappropriately.

A wide range of possible online interactions can affect different company departments. An employee may post a great new product idea for an existing brand; a customer may post a video or tweet about an unhappy customer service experience (as in the case of Kevin Smith on Southwest Airlines); an employee in a publicly traded company may post content that breaks legal compliance in a heavily regulated industry, such as a post about adverse effects from pharmaceutical drugs; or a customer may express her delight with her favorite brand. Each of these social media mentions merits follow-up within the company: to address the issue in question, to research and seize new potential opportunities, and to educate employees about which posts are allowed and which are inappropriate or potentially firing offenses.

Companies generally have established business processes for all job functions, and processes for handling customer service complaints and reparations, or new business development, most likely already exist in the company. If not, they must be developed. For example, you may need a process for responding to delighted customers with special treatment (e.g., bell ringer) or for including online mentions in regulatory compliance reporting and resolution. In the case of customer promotions, Federal Trade Commission (FTC) regulations concerning blogger disclosure must be observed.

In 2010, the FTC (www.ftc.gov) investigated Ann Taylor for providing bloggers at a marketing event with gifts.2 The investigation was launched after Ann Taylor’s LOFT division held a January 2010 “exclusive blogger preview,” for which the company promised that “bloggers who attend will receive a special gift, and those who post coverage from the event will be entered in a mystery gift card drawing where you can win up to $500 at LOFT!” The size of the gifts was not the problem; the issue was disclosure, namely whether the blog articles revealed that Ann Taylor had paid the bloggers in gifts. The FTC’s first investigation was based on its “Guides Concerning the Use of Endorsements and Testimonials in Advertising” (otherwise known as the “Guides”), which cover the promotion of products and services. The end result was that Ann Taylor was not fined. Although the FTC proved very lenient in this case, it took a first step toward managing the social media space. Ann Taylor has since developed a policy of disclosing all gifts to bloggers. The FTC has the power to regulate “unfair or deceptive acts or practices in or affecting commerce,” including the power to issue regulations, conduct investigations, and bring enforcement actions seeking injunctive relief and civil penalties (see 15 U.S.C. §45). Basically, Ann Taylor needed to draw a clear line between marketing and endorsements. Beyond that, the company should have a defined policy on how it uses social media. The Legal and Human Resources departments should own this policy.

2. Natalie Zmuda, “Ann Taylor Investigations Shows FTC Keeping Close Eye on Blogging,” Advertising Age (April 28, 2010), http://adage.com/article?article_id=143567.

Once the business processes have been mapped out and developed, the Human Resources department should train all employees on how to comply with the applicable regulations, to ensure a consistent approach to operating procedures across all business lines. First, however, let’s look more closely at a new and evolving role in companies: the Community Manager.
